
I want each user to have access only to their specific home directory via an SFTP connection.

Example structure:

admin1 access to: /var/www/vhosts/vhost1
(optional)editor1 access to: /var/www/vhosts/vhost1/public

admin2 access to: /var/www/vhosts/vhost2
(optional)editor2 access to: /var/www/vhosts/vhost2/public

etc...

1 Answer

Maybe you're referring to a Jail, a folder where a specific user will be confined.
I will try to summarize an example configuration:

1) Environment Preparation
You need to do some steps to prepare the Jail environment. We have to respect some security limitations imposed by SSH (if you want, you can disable them, but it's really a bad idea!).

  • Jail folder must be root-owned
  • Jail folder cannot be group/others writable
  • .ssh/ folder must have modes 700
  • authorized_keys file must have modes 600

Let's assume you have a user whose username is echoes and whose home directory is /home/echoes/ and let's assume we want to confine it into its own home directory. Let's assume, as you say, we want to use an SFTP account with public-key authorization mechanism for it.

mkdir /home/echoes/.ssh
# write echoes public-key into /home/echoes/.ssh/authorized_keys
chown root /home/echoes/  
chmod 755 /home/echoes/  
chown -R echoes:echoes /home/echoes/.ssh/  
chmod 700 /home/echoes/.ssh/  
chmod 600 /home/echoes/.ssh/authorized_keys  

2) SSH Configuration
Now we need to match the user and confine it into its own home directory. So, let's open SSH Server configuration file:

vim /etc/ssh/sshd_config  

Enable the internal-sftp to manage sftp connections:

Subsystem sftp internal-sftp  

Copy-paste the following lines into the sshd_config configuration file. We are saying: when you match echoes, just move it into the folder defined by ChrootDirectory (its own home folder in this example).

Match User echoes
    ChrootDirectory /home/echoes/
    ForceCommand internal-sftp

3) Allowing writing operations inside a sub-folder
As you can see, the home folder of the user is now root-owned, so echoes will not be able to write any files into it. For that reason, you can create a new sub-folder (e.g. echoes-write) allowing the user to write inside it:

mkdir /home/echoes/echoes-write/
chown echoes:echoes /home/echoes/echoes-write/
chmod ug+w /home/echoes/echoes-write/  

4) Move automatically into its own writable folder

If you need to automatically:
Match user -> Move it into a Jail -> Move it automatically into the writable sub-folder of its own Jail, let me know and I will try to summarize that scenario as configuration steps.
As you didn't write any info about your system, I have made lots of assumptions.
